Cyber Resilience

CVE-2026-3063

Severity: Medium
Published: 23 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: 145.0.7632.116
CVSS Score (v3.1): 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.0018 (8.0th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3063 is a medium-severity vulnerability in Google Chrome with no assigned CWE weakness type. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE is ranked at the 8.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3063 is an inappropriate implementation vulnerability in the DevTools component of Google Chrome prior to version 145.0.7632.116. It enables an attacker who convinces a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. The issue affects Chromium-based browsers, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) and High severity as rated by Chromium security.

The attack requires an attacker to socially engineer a user into installing a malicious browser extension, which then exploits DevTools to perform script or HTML injection on privileged pages. Successful exploitation results in low-impact confidentiality and integrity violations, such as limited unauthorized data access or content modification, with no availability impact and requiring user interaction.

Mitigation is provided in the Google Chrome stable channel update to version 145.0.7632.116 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html. Additional technical details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/485287859. Security practitioners should advise users to update promptly and exercise caution with extension installations.

Vulnerability details

Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)

CWE(s): none assigned

Related Threats

MITRE ATT&CK Enterprise Techniques

T1176.001 Browser Extensions (Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability is directly triggered by a malicious browser extension (T1176.001) after the user installs and runs that extension (T1204.002), enabling unauthorized script/HTML injection into privileged DevTools pages.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2319 · same product: Apple macOS
CVE-2026-4458 · same product: Apple macOS
CVE-2026-3539 · same product: Apple macOS
CVE-2026-7976 · same product: Apple macOS
CVE-2026-5287 · same product: Apple macOS
CVE-2026-5904 · same product: Apple macOS
CVE-2026-5910 · same product: Apple macOS
CVE-2026-5908 · same product: Apple macOS
CVE-2026-6305 · same product: Apple macOS
CVE-2026-4455 · same product: Apple macOS

Affected Assets

google chrome: ≤ 145.0.7632.116 · ≤ 145.0.7632.117

Mitigating Controls (NIST 800-53 r5)

CM-11 (User-installed Software) · prevent
Directly restricts or authorizes user-installed browser extensions that are required for exploitation.

SI-2 (Flaw Remediation) · prevent
Requires prompt application of the vendor patch that eliminates the DevTools injection flaw.

prevent
Enforces least privilege so a malicious extension cannot reach privileged pages even if installed.
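The two controls named in the summary, CM-11 and SI-2, both reduce to checks a defender can run against an endpoint inventory: is the installed Chrome build older than the fixed build, and does managed policy stop users from installing arbitrary extensions. The following Python script is an added example, not code from the advisory or from Google. It assumes Chrome version strings are four dotted integers, and that the policy dict mirrors the Chrome enterprise policy keys ExtensionInstallBlocklist and ExtensionInstallAllowlist (a blocklist of "*" means only allowlisted extension IDs may be installed). The inventory rows, host names and extension ID are constructed sample data.

```python
"""Added example (not part of the original advisory): flag Chrome installs
that still predate the CVE-2026-3063 fix (SI-2) and endpoints whose managed
policy leaves user-installed extensions unrestricted (CM-11).

Assumptions: versions are dotted integers as Chrome reports them; the policy
dict uses the Chrome enterprise keys ExtensionInstallBlocklist and
ExtensionInstallAllowlist. All inventory data below is constructed.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "145.0.7632.116"  # first fixed stable build named in the advisory


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '145.0.7632.116' into (145, 0, 7632, 116).

    Chrome builds have exactly four components; shorter strings are padded
    with zeros so 'MAJOR.MINOR' still compares sensibly. Anything that is
    not dotted integers raises ValueError rather than silently passing.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build.

    Numeric tuple comparison matters here: as strings, '145.0.7632.80'
    sorts after '145.0.7632.116', which would wrongly mark it as patched.
    """
    return parse_version(installed) < parse_version(fixed)


def user_extensions_restricted(policy: Dict[str, List[str]]) -> bool:
    """CM-11 check: with '*' in ExtensionInstallBlocklist only allowlisted
    extension IDs can be installed, so a user cannot add an arbitrary one."""
    return "*" in policy.get("ExtensionInstallBlocklist", [])


def assess(host: str, version: str, policy: Dict[str, List[str]]) -> List[str]:
    """Return the list of control gaps for one endpoint (empty when clean)."""
    findings: List[str] = []
    if is_vulnerable(version):
        findings.append(f"SI-2: {host} runs {version}; update to {FIXED_VERSION} or later")
    if not user_extensions_restricted(policy):
        findings.append(f"CM-11: {host} allows user-installed extensions")
    return findings


# Constructed inventory: (host, installed Chrome version, effective managed policy).
INVENTORY = [
    ("ws-01", "144.0.7559.210", {"ExtensionInstallBlocklist": []}),
    ("ws-02", "145.0.7632.116", {"ExtensionInstallBlocklist": ["*"],
                                 "ExtensionInstallAllowlist": ["<allowlisted-extension-id>"]}),
    ("ws-03", "145.0.7632.80", {"ExtensionInstallBlocklist": ["*"]}),
]


def assess_inventory(rows=INVENTORY) -> Dict[str, List[str]]:
    """Map each host to its findings so the result can be asserted on or reported."""
    return {host: assess(host, version, policy) for host, version, policy in rows}


if __name__ == "__main__":
    for host, findings in assess_inventory().items():
        status = "; ".join(findings) if findings else "no gaps"
        print(f"{host}: {status}")
```

In a real deployment the version would come from the browser binary or an MDM inventory and the policy from the platform's managed-policy location (for example the registry on Windows or the managed policies directory on Linux); the comparison and policy logic stay the same.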
